Analysis
max time kernel: 87s
max time network: 149s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 16:51
Static task: static1
Behavioral task: behavioral1
  Sample: Bank Swift.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Bank Swift.exe
  Resource: win10v2004-20221111-en
General
Target: Bank Swift.exe
Size: 830KB
MD5: aacbef36fa202e5eb1512c99022ef31c
SHA1: 97a12e69a35a037f34bbd4b4d779326bdb99ac7e
SHA256: 4d4be5a0fb152cb0f795f6ce36b1b3e4e69234681e36c41f3760858b4d38aa31
SHA512: 5648dbe1a6c3f6aef53b1c14ba50b3837c2671a00934a0c3049d31711b6e61f972b2d7b1b3531ea6db671e0a22ec208759e1aa0547ce5cf4e906a201756dc84a
SSDEEP: 24576:Cw/HDtU376CVtv1ekon6imVSE/HHkFg/IyXtrpc:o3tv1jftfkoXVp
Malware Config
Extracted family: snakekeylogger
Extracted URL:
https://api.telegram.org/bot1644755040:AAGRTnph6BdO8-t1bJaOyVu9aeuJErmisqs/sendMessage?chat_id=1637651323
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (6 IoCs)
resource | yara_rule
  behavioral1/memory/984-64-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/984-66-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/984-68-0x00000000004202EE-mapping.dmp | family_snakekeylogger
  behavioral1/memory/984-67-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/984-70-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/984-72-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
  4 | checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoCs)
description | pid | process | target process
  PID 1192 set thread context of 984 | 1192 | Bank Swift.exe | RegSvcs.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
  1192 | Bank Swift.exe
  984 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
  Token: SeDebugPrivilege | 1192 | Bank Swift.exe
  Token: SeDebugPrivilege | 984 | RegSvcs.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | process | target process
  PID 1192 wrote to memory of 1764 | 1192 | Bank Swift.exe | schtasks.exe (4 identical entries)
  PID 1192 wrote to memory of 984 | 1192 | Bank Swift.exe | RegSvcs.exe (12 identical entries)
outlook_office_path (1 IoCs)
description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoCs)
description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Bank Swift.exe (level 1, PID 1192)
  command line: "C:\Users\Admin\AppData\Local\Temp\Bank Swift.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (level 2, PID 1764)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rUVcgRH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2453.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2, PID 984)
    command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 33e951410efc26a87e4c9e6275b154b5
SHA1: cc72f6faf971d1156b6dcd1bac1ca790fe2b0e98
SHA256: ed1bea773ce9b968c36416b71f96273769f6953f8d124f2cba09757c363a8eef
SHA512: f48155ff5d948cd32c9e98d9cc57518e5ce17eda48e3c579149ce7a55d752b7e8c0bfbaba418275611582b793170d3b80726d6ecb35e92f282703d203106938f